Security Issues, Attacks and Countermeasures in Layered IoT Ecosystem


Ajeet Singh
N D Patel


Internet of Things (IoT) applications consist mainly of a group of small devices with sensing and/ or actuation
capabilities, working collaboratively to provide a specific functionality. IoT applications are becoming vital part of
our daily lives in various areas such as home automation, industrial automation, energy sector, healthcare sector
and smart transportation. Security is a term that is used to encompass the notions such as integrity, confidentiality,
and privacy. A more prominent understanding of the Internet of Things (IoT) is that – it transmits data over the
global internet and gives many services in many domains. It facilitates the machines and gadgets to communicate
with each other. IoT appliances have been facing several issues, therefore we identify variety of service domains
and their vulnerabilities. The main focus is on protecting the security and privacy. This paper presents an
overview of IoT models, applications in different domains, vulnerabilities, security privacy goals, possible attacks,
and their corresponding countermeasures. The objective of this paper is also to provide a survey on categorized
layer-wise attacks and countermeasures in detail. In the object layer, connectivity link Layer, several attacks
are discussed based on RFID, NFC, ZigBee, Bluetooth, and Wi-Fi protocols. In the Transport Network layer,
we have classified variety of attacks based on RPL, 6loWPAN, TCP/UDP, and IPv4/IPv6. Similarly, In the
Session Communication, Data Aggregation Storage, Business Model, and Application layers, we have discovered
considerable number of attacks for each layer.


How to Cite
Ajeet Singh, & N D Patel. (2023). Security Issues, Attacks and Countermeasures in Layered IoT Ecosystem. International Journal of Next-Generation Computing, 14(2).


  3. Abad, C. L. and Bonilla, R. I. 2007. An analysis on the schemes for detecting and preventing arp cache poisoning attacks. In 27th International Conference on Distributed Computing Systems Workshops (ICDCSW’07). IEEE, 60–60. DOI:
  4. Abare, G. and Garba, E. 2019. A proposed model for enhanced security against key reinstal- lation attack on wireless networks. International Journal of Scientific Research in Network Security and Communication 7, 3, 21–27.
  5. AbdAllah, E. G., Hassanein, H. S., and Zulkernine, M. 2015. A survey of security attacks in information-centric networking. IEEE Communications Surveys & Tutorials 17, 3, 1441– 1454. DOI:
  6. Ahmad, M. S. 2010. Wpa too! DEF CON 18.
  7. Alqahtani, A. H. and Iftikhar, M. 2013. Tcp/ip attacks, defenses and security tools. In- ternational Journal of Science and Modern Engineering (IJISME) 1, 10.
  8. Arafat, M. Y., Alam, M. M., and Alam, M. F. 2015. A practical approach and mitiga- tion techniques on application layer ddos attack in web server. International Journal of Computer Applications 975, 8887.
  9. Asadian, H. and Javadi, H. H. S. 2018. Identification of sybil attacks on social networks using a framework based on user interactions. Security and Privacy 1, 2, e19. DOI:
  10. Asim, M. and Iqbal, W. 2016. Iot operating systems and security challenges. International Journal of Computer Science and Information Security 14, 7, 314.
  11. Atzori, L., Iera, A., and Morabito, G. 2010. The internet of things: A survey. Computer networks 54, 15, 2787–2805. DOI:
  12. Babik, M., Prelz, F., Froy, T., Grigoras, C., Chudoba, J., Finnern, T., Idiculla, T., Dewhurst, A., Kelsey, D., Ohrenberg, K., et al. 2017. Iop: Ipv6 security. In J. Phys.: Conf. Ser. Vol. 898. 102008. DOI:
  13. Banday, M. T. 2019. Security in context of the internet of things: A study. In Cryptographic Security Solutions for the Internet of Things. IGI Global, 1–40. DOI:
  14. Becker, A. and Paar, I. C. 2007. Bluetooth security & hacks. Ruhr-Universit¨at Bochum.
  15. Bella¨ıche, M. and Gre´goire, J.-C. 2012. Syn flooding attack detection by tcp handshake anomalies. Security and Communication Networks 5, 7, 709–724. DOI:
  16. Benzidane, K., Khoudali, S., Fetjah, L., Andaloussi, S. J., and Sekkaki, A. 2019. Application-based authentication on an inter-vm traffic in a cloud environment. Interna- tional Journal of Communication Networks and Information Security 11, 1, 148–166. DOI:
  17. Bijalwan, A., Wazid, M., Pilli, E. S., and Joshi, R. C. 2015. Forensics of random-udp flooding attacks. Journal of Networks 10, 5, 287. DOI:
  18. Bittau, A., Handley, M., and Lackey, J. 2006. The final nail in wep’s coffin. In 2006 IEEE Symposium on Security and Privacy (S&P’06). IEEE, 15–pp. DOI:
  19. Brahanyaa, S. and Anbarasi, L. J. 2018. Classification of snmp network dataset for ddos attack prevention. In 2018 IEEE International Conference on Computational Intelligence and Computing Research (ICCIC). IEEE, 1–5. DOI:
  20. Caneill, M. and Gilis, J.-L. 2010. Attacks against the wifi protocols wep and wpa. Journal, no. December .
  21. Chang, C.-C. and Nguyen, N.-T. 2016. An untraceable biometric-based multi-server authen- ticated key agreement protocol with revocation. Wireless Personal Communications 90, 4, 1695–1715. DOI:
  22. Chattha, N. A. 2014. Nfc—vulnerabilities and defense. In 2014 Conference on Information Assurance and Cyber Security (CIACS). IEEE, 35–38. DOI:
  23. Chen, J., Diao, W., Zhao, Q., Zuo, C., Lin, Z., Wang, X., Lau, W. C., Sun, M., Yang, R., and Zhang, K. 2018. Iotfuzzer: Discovering memory corruptions in iot through app- based fuzzing. In NDSS. DOI:
  24. Choi, M.-K., Robles, R. J., Hong, C.-h., and Kim, T.-h. 2008. Wireless network security: Vulnerabilities, threats and countermeasures. International Journal of Multimedia and Ubiquitous Engineering 3, 3, 77–86.
  25. Chou, T.-S. 2013. Security threats on cloud computing vulnerabilities. International Journal of Computer Science & Information Technology 5, 3, 79. DOI:
  26. Christodorescu, M., Jha, S., Seshia, S. A., Song, D., and Bryant, R. E. 2005. Semantics- aware malware detection. In 2005 IEEE Symposium on Security and Privacy (S&P’05). IEEE, 32–46. DOI:
  27. Collantes, M. I. M., El Massad, M., and Garg, S. 2016. Threshold-dependent camouflaged cells to secure circuits against reverse engineering attacks. In 2016 IEEE Computer Society Annual Symposium on VLSI (ISVLSI). IEEE, 443–448.
  28. Das, R., Menon, V., and Morris, T. H. 2018. On the edge realtime intrusion prevention system for dos attack. In 5th International Symposium for ICS & SCADA Cyber Security Research 2018 5. 84–91. DOI:
  29. De Vivo, M., Carrasco, E., Isern, G., and de Vivo, G. O. 1999. A review of port scanning techniques. ACM SIGCOMM Computer Communication Review 29, 2, 41–48. DOI:
  30. Deka, R. K., Bhattacharyya, D. K., and Kalita, J. K. 2019. Granger causality in tcp flooding attack. IJ Network Security 21, 1, 30–39.
  31. Deogirikar, J. and Vidhate, A. 2017. Security attacks in iot: A survey. In 2017 International Conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud)(I-SMAC). IEEE, 32– 37. DOI:
  32. Fan, X., Susan, F., Long, W., and Li, S. 2017. Security analysis of zigbee.
  33. Farha, F. and Chen, H. 2018. Mitigating replay attacks with zigbee solutions. Network Security 2018, 1, 13–19. DOI:
  34. Farooq, M. U., Waseem, M., Khairi, A., and Mazhar, S. 2015. A critical analysis on the security concerns of internet of things (iot). International Journal of Computer Applica- tions 111, 7. DOI:
  35. Ferna´ndez-Carame´s, T., Fraga-Lamas, P., Sua´rez-Albela, M., and Castedo, L. 2017. Reverse engineering and security evaluation of commercial tags for rfid-based iot applica- tions. Sensors 17, 1, 28. DOI:
  36. Francis, L., Hancke, G., Mayes, K., and Markantonakis, K. 2010. Practical nfc peer- to-peer relay attack using mobile phones. In International Workshop on Radio Frequency Identification: Security and Privacy Issues. Springer, 35–49. DOI:
  37. Fu, X., Gao, Y., Luo, B., Du, X., and Guizani, M. 2017. Security threats to hadoop: Data leakage attacks and investigation. IEEE Network 31, 2, 67–71. DOI:
  38. Gavrichenkov, A. 2015. Breaking https with bgp hijacking. Black Hat. Briefings.
  39. Ge, Q., Yarom, Y., Cock, D., and Heiser, G. 2018. A survey of microarchitectural tim- ing attacks and countermeasures on contemporary hardware. Journal of Cryptographic Engineering 8, 1, 1–27. DOI:
  40. Genova, P., Engler, M., Grigorov, S., Jurova, M., Kadrev, B., Schmid, M., Trendafilov, T., Yordanov, D., and Zarembo, I. 2013. Cross-site request forgery protection. US Patent App. 13/325,111.
  41. Green, J. 2014. The internet of things reference model. In Internet of Things World Forum.
  42. –12.
  43. Gupta, N., Jain, A., Saini, P., and Gupta, V. 2016. Ddos attack algorithm using icmp flood. In 2016 3rd International Conference on Computing for Sustainable Global Development (INDIACom). IEEE, 4082–4084.
  44. Hameed, S., Jamali, U. M., and Samad, A. 2016. Protecting nfc data exchange against eavesdropping with encryption record type definition. In NOMS 2016-2016 IEEE/IFIP Network Operations and Management Symposium. IEEE, 577–583. DOI:
  45. Hernandez, G., Arias, O., Buentello, D., and Jin, Y. 2014. Smart nest thermostat: A smart spy in your home. Black Hat USA, 1–8.
  46. Holmes, D. 2013. Mitigating ddos attacks with f5 technology. F5 Networks, Inc, 2099–2104.
  47. Hongach Jr, W. J. 2018. Mitigating security flaws in the tcp/ip protocol suite. Ph.D. thesis, Utica College.
  48. Hossain, M. S., Paul, A., Islam, M. H., and Atiquzzaman, M. 2018. Survey of the protection mechanisms to the ssl-based session hijacking attacks. Network Protocols & Algorithms 10, 1, 83–108. DOI:
  49. Hu, Q., Du, B., Markantonakis, K., and Hancke, G. P. 2019. A session hijacking attack against a device-assisted physical layer key agreement. IEEE Transactions on Industrial Informatics. DOI:
  50. Hu, Q. and Hancke, G. P. 2017. A session hijacking attack on physical layer key generation DOI:
  51. agreement. In 2017 IEEE International Conference on Industrial Technology (ICIT). IEEE, 1418–1423.
  52. Huang, L., Gao, C., Zhou, Y., Zou, C., Xie, C., Yuille, A., and Liu, N. 2019. Upc: Learning universal physical camouflage attacks on object detectors. arXiv preprint arXiv:1909.04326 . DOI:
  53. Hummen, R., Hiller, J., Wirtz, H., Henze, M., Shafagh, H., and Wehrle, K. 2013. 6lowpan fragmentation attacks and mitigation mechanisms. In Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks. ACM, 55–66. DOI:
  54. Karpin´ski, M., Korchenko, A., Vikulov, P., Kochan, R., Balyk, A., and Kozak, R. 2017. The etalon models of linguistic variables for sniffing-attack detection. In 2017 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS). Vol. 1. IEEE, 258–264. DOI:
  55. Kaushal, K. and Sahni, V. 2016. Early detection of ddos attack in wsn. International Journal of Computer Applications 134, 13, 0975–8887. DOI:
  56. Kizza, J. M. 2017. Mobile systems and their intractable social, ethical and security issues. In DOI:
  57. Ethical and Social Issues in the Information Age. Springer, 321–338.
  58. Kodada, B. B., Prasad, G., and Pais, A. R. 2012. Protection against ddos and data modifica- tion attack in computational grid cluster environment. International Journal of Computer Network and Information Security 4, 7, 12. DOI:
  59. Korhonen, N.-P. 2017. Nfc payment & security threats.
  60. Kulkarni, G., Shelke, R., Sutar, R., and Mohite, S. 2014. Rfid security issues & chal- lenges. In 2014 International Conference on Electronics and Communication Systems (ICECS). IEEE, 1–4.
  61. Lehtonen, M., Ostojic, D., Ilic, A., and Michahelles, F. 2009. Securing rfid systems by detecting tag cloning. In International Conference on Pervasive Computing. Springer, 291–308. DOI:
  62. Lin, C.-H., Liu, J.-C., Huang, S.-Y., Lee, C.-Y., and Chen, C.-R. 2010. A detection scheme for flooding attack on application layer based on semantic concept. In 2010 International Computer Symposium (ICS2010). IEEE, 385–389. DOI:
  63. Lonzetta, A., Cope, P., Campbell, J., Mohd, B., and Hayajneh, T. 2018. Security vulnerabilities in bluetooth technology as used in iot. Journal of Sensor and Actuator Networks 7, 3, 28. DOI:
  64. Mashal, I., Alsaryrah, O., Chung, T.-Y., Yang, C.-Z., Kuo, W.-H., and Agrawal,
  65. D. P. 2015. Choices for interaction with things on internet and underlying issues. Ad Hoc Networks 28, 68–90. DOI:
  66. Mateen, A. and Waheed, A. 2016. The role of virtualization techniques to overcome the challenges in cloud computing. International Journal of Computer Applications 143, 9, 7–11. DOI:
  67. Mayzaud, A., Badonnel, R., and Chrisment, I. 2016. A taxonomy of attacks in rpl-based internet of things.
  68. McGuire, M., Ogras, U., and Ozev, S. 2019. Pcb hardware trojans: Attack modes and detection strategies. In 2019 IEEE 37th VLSI Test Symposium (VTS). IEEE, 1–6. DOI:
  69. Meena, S., Daniel, E., and Vasanthi, N. 2013. Survey on various data integrity attacks in cloud environment and the solutions. In 2013 International Conference on Circuits, Power and Computing Technologies (ICCPCT). IEEE, 1076–1081. DOI:
  70. Merget, R., Somorovsky, J., Aviram, N., Young, C., Fliegenschmidt, J., Schwenk, J., and Shavitt, Y. 2019. Scalable scanning and automatic classification of TLS padding oracle vulnerabilities. In 28th USENIX Security Symposium ( USENIX Security 19). 1029–1046.
  71. Miller, C. 2012. Exploring the nfc attack surface. Proceedings of Blackhat .
  72. Minar, N. B.-N. I. and Tarique, M. 2012. Bluetooth security threats and solutions: a survey.
  73. International Journal of Distributed and Parallel Systems 3, 1, 127.
  74. Mishra, B. K. and Keshri, N. 2013. Mathematical model on the transmission of worms in wireless sensor network. Applied Mathematical Modelling 37, 6, 4103–4111. DOI:
  75. Modi, C., Patel, D., Borisaniya, B., Patel, A., and Rajarajan, M. 2013. A survey on security issues and solutions at different layers of cloud computing. The journal of supercomputing 63, 2, 561–592. DOI:
  76. Mosenia, A. and Jha, N. K. 2016. A comprehensive study of security of internet-of-things.
  77. IEEE Transactions on Emerging Topics in Computing 5, 4, 586–602.
  78. Nakhila, O., Attiah, A., Jin, Y., and Zou, C. 2015. Parallel active dictionary attack on wpa2-psk wi-fi networks. In MILCOM 2015-2015 IEEE Military Communications Confer- ence. IEEE, 665–670. DOI:
  79. Ndibwile, J. D., Govardhan, A., Okada, K., and Kadobayashi, Y. 2015. Web server protection against application layer ddos attacks using machine learning and traffic au- thentication. In 2015 IEEE 39th Annual Computer Software and Applications Conference. Vol. 3. IEEE, 261–267. DOI:
  80. Nenvani, G. and Gupta, H. 2016. A survey on attack detection on cloud using supervised learn- ing techniques. In 2016 Symposium on Colossal Data Analysis and Networking (CDAN). IEEE, 1–5. DOI:
  81. Oliveira, L. M. L., Rodrigues, J. J., de Sousa, A. F., and Denisov, V. M. 2016. Network admission control solution for 6lowpan networks based on symmetric key mechanisms. IEEE transactions on industrial informatics 12, 6, 2186–2195. DOI:
  82. Otgonbaatar, U. 2015. Evaluating modern defenses against control flow hijacking. Tech. rep., MIT Lincoln Laboratory Lexington United States.
  83. Padgette, J., Scarfone, K., and Chen, L. 2012. Guide to bluetooth security: Recommen- dations of the national institute of standards and technology (special publication 800-121 revision 1). DOI:
  84. Pal, S., Sikdar, B., and Chow, J. H. 2017. Classification and detection of pmu data manipu- lation attacks using transmission line parameters. IEEE Transactions on Smart Grid 9, 5, 5057–5066. DOI:
  85. Papp, D., Ma, Z., and Buttyan, L. 2015. Embedded systems security: Threats, vulnerabili- ties, and attack taxonomy. In 2015 13th Annual Conference on Privacy, Security and Trust (PST). IEEE, 145–152. DOI:
  86. Parkkinen, J. and Hyvarinen, M. A. 2014. Restricting and preventing pairing attempts from virus attack and malicious software. US Patent 8,787,899.
  87. Patel, N., Mehtre, B., and Wankar, R. 2021. Things-to-cloud (t2c): A protocol-based nine-layered architecture. In Inventive Communication and Computational Technologies. Springer, 789–805. DOI:
  88. Patton, M., Gross, E., Chinn, R., Forbis, S., Walker, L., and Chen, H. 2014. Uninvited connections: a study of vulnerable devices on the internet of things (iot). In 2014 IEEE Joint Intelligence and Security Informatics Conference. IEEE, 232–235. DOI:
  89. Pongle, P. and Chavan, G. 2015. A survey: Attacks on rpl and 6lowpan in iot. In 2015 International conference on pervasive computing (ICPC). IEEE, 1–6. DOI:
  90. Qadeer, M. A., Iqbal, A., Zahid, M., and Siddiqui, M. R. 2010. Network traffic analysis and intrusion detection using packet sniffer. In 2010 Second International Conference on Communication Software and Networks. IEEE, 313–317. DOI:
  91. Rathi, N., Ghosh, S., Iyengar, A., and Naeimi, H. 2016. Data privacy in non-volatile cache: Challenges, attack models and solutions. In 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC). IEEE, 348–353. DOI:
  92. Raza, S., Duquennoy, S., Chung, T., Yazar, D., Voigt, T., and Roedig, U. 2011. Se- curing communication in 6lowpan with compressed ipsec. In 2011 International Conference on Distributed Computing in Sensor Systems and Workshops (DCOSS). IEEE, 1–8. DOI:
  93. Rebecchi, F., Boite, J., Nardin, P.-A., Bouet, M., and Conan, V. 2019. Ddos protec- tion with stateful software-defined networking. International Journal of Network Manage- ment 29, 1, e2042. DOI:
  94. Reddy, S. V., Ramani, K. S., Rijutha, K., Ali, S. M., and Reddy, C. P. 2010. Wireless hacking-a wifi hack by cracking wep. In 2010 2nd International Conference on Education Technology and Computer. Vol. 1. IEEE, V1–189.
  95. Rose, S. H. and Jayasree, T. Detection of jamming attacks in a cluster wsn using statistical approach.
  96. Saravanan, K., Vijayanand, L., and Negesh, R. 2012. A novel bluetooth man-in-the-middle attack based on ssp using oob association model. arXiv preprint arXiv:1203.4649 .
  97. Saxena, M., Shaw, R. N., and Verma, J. K. 2019. A novel hash-based mutual rfid tag authentication protocol. In Data and Communication Networks. Springer, 1–12. DOI:
  98. Sen, J. 2010. A survey on wireless sensor network security. arXiv preprint arXiv:1011.1529 .
  99. Sen, J. 2012. Security in wireless sensor networks. Wireless Sensor Networks: Current Status and Future Trends 407. DOI:
  100. Shabani, F., Gharaee, H., and Ghaffari, F. 2018. An intelligent rfid-enabled authentication protocol in vanet. In 2018 9th International Symposium on Telecommunications (IST). IEEE, 587–591. DOI:
  101. Shakdhe, A., Agrawal, S., and Yang, B. 2019. Security vulnerabilities in consumer iot applications. In 2019 IEEE 5th Intl Conference on Big Data Security on Cloud (Big- DataSecurity), IEEE Intl Conference on High Performance and Smart Computing,(HPSC) and IEEE Intl Conference on Intelligent Data and Security (IDS). IEEE, 1–6. DOI:
  102. Singh, B. 2017. Design of an intrusion detection system to detect the black hole attack using less energy consumption in wsn.
  103. Singh, V. P., Jain, S., and Singhai, J. 2010. Hello flood attack and its countermeasures in wireless sensor networks. International Journal of Computer Science Issues (IJCSI) 7, 3, 23.
  104. Stan, O., Bitton, R., Ezrets, M., Dadon, M., Inokuchi, M., Ohta, Y., Yamada, Y., Yagyu, T., Elovici, Y., and Shabtai, A. 2019. Extending attack graphs to repre- sent cyber-attacks in communication protocols and modern it networks. arXiv preprint arXiv:1906.09786 .
  105. Steele, J. 2019. Abating padding oracle attacks. US Patent 10,277,611.
  106. Stolbunov, A. 2009. Klein’s and ptw attacks on wep. NTNU, Department of Telematics.
  107. Swati, M. S. B. S. D. and Thakare, S. S. D. V. Study of security challenges in multilayered structure and various attacks on iot.
  108. Tian, C., Chen, C., Duan, Z., and Zhao, L. 2019. Differential testing of certificate valida- tion in ssl/tls implementations: An rfc-guided approach. ACM Transactions on Software Engineering and Methodology (TOSEM) 28, 4, 1–37. DOI:
  109. Tsira, V. and Nandi, G. 2014. Bluetooth technology: Security issues and its prevention. Int.
  110. J. Comput. Appl. Technol 5, 1833–1837.
  111. Valenta, L., Adrian, D., Sanso, A., Cohney, S., Fried, J., Hastings, M., Halderman,
  112. J. A., and Heninger, N. 2017. Measuring small subgroup attacks against diffie-hellman. In NDSS.
  113. Varshney, G., Misra, M., and Atrey, P. K. 2016. A survey and classification of web phishing detection schemes. Security and Communication Networks 9, 18, 6266–6284. DOI:
  114. Vidgren, N., Haataja, K., Patino-Andres, J. L., Ramirez-Sanchis, J. J., and Toiva- nen, P. 2013. Security threats in zigbee-enabled systems: vulnerability evaluation, practi- cal experiments, countermeasures, and lessons learned. In 2013 46th Hawaii International Conference on System Sciences. IEEE, 5132–5138. DOI:
  115. Xiaocong, Q. and Jidong, Z. 2010. Study on the structure of “internet of things (iot)” business operation support platform. In 2010 IEEE 12th International Conference on Communication Technology. IEEE, 1068–1071.
  116. Xie, W., Jiang, Y., Tang, Y., Ding, N., and Gao, Y. 2017. Vulnerability detection in iot firmware: A survey. In 2017 IEEE 23rd International Conference on Parallel and Distributed Systems (ICPADS). IEEE, 769–772. DOI:
  117. Yu, J., Kim, E., Kim, H., and Huh, J. 2016. A framework for detecting mac and ip spoofing attacks with network characteristics. In 2016 International Conference on Software Security and Assurance (ICSSA). IEEE, 49–53. DOI:
  118. Zhang, C., Peng, J., and Xiao, J. 2019. An advanced persistent distributed denial-of-service attacked dynamical model on networks. Discrete Dynamics in Nature and Society 2019. DOI: